The particular app that was Trojanized in this attack was a racing game called “Fast Racing.” For a game, this Trojanized version requests a lot of permissions, far more than a legitimate title of this kind typically needs; the over-broad permission set is the first visible sign that something is wrong.

When the infected phone boots, the malware starts a service named Market, most likely a trick the malware writer chose so that a user who notices the running service mistakes it for a harmless, legitimate component.

Like previously found Android malware, this one monitors the affected user’s incoming text messages. When a message arrives, it records the contents and sender information and writes them to a text file named zjsms.txt. It also keeps logs of incoming and outgoing calls, saved as zjphonecall.txt.

This malware also communicates with a remote command-and-control (C&C) server, currently located at http://{BLOCKED}r.gicp.net. Unlike previously detected Android malware, which used hard-coded server URLs, this one switches to alternative servers when its current C&C server instructs it to, so blocking the known address alone does not cut it off. It can also update itself, which may be an attempt to evade detection and removal.

Whichever C&C server it is currently pointed at, it “phones home” and sends device information such as the device ID, subscriber ID, and SIM serial number to http://{C&C server}/zj/RegistUid.aspx?. It can also upload files, including the call and SMS logs, to http://{C&C server}/zj/upload/UploadFiles.aspx, and it polls http://{C&C server}/zj/allotWorkTask.aspx to receive commands. In addition to changing servers and downloading updates, it can receive the following commands:

install/uninstall apps

make a call

send a text message
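Because the malware can be redirected to new C&C hosts on command, a block-list keyed on the hostname quoted above is fragile; the three URL paths it uses are the more stable indicator. The following detector, an added example that is not code from the original post or from the analysts who wrote it, scans Squid-style proxy log lines for those paths and reports every host seen serving them, per client. The log lines, client addresses, and hostnames (cnc-primary.example.net, cnc-alternate.example.net) are constructed for this example; only the paths come from the write-up.

```python
"""
Match the C&C URL paths described in the write-up against HTTP proxy logs.

Added example, not the malware analysts' or the original post's code. The
paths /zj/RegistUid.aspx, /zj/upload/UploadFiles.aspx and
/zj/allotWorkTask.aspx come from the write-up; every hostname, client IP
and log line below is constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths taken from the write-up, mapped to what each one is used for.
# Matched case-insensitively: ASP.NET routing is case-insensitive, so an
# operator could vary the case without changing server behaviour.
CNC_PATHS = {
    "/zj/registuid.aspx": "register device",
    "/zj/upload/uploadfiles.aspx": "upload stolen logs",
    "/zj/allotworktask.aspx": "fetch work task",
}

# Squid native access.log layout:
#   timestamp elapsed client code/status bytes method URL ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log lines (hostnames and clients are made up).
# Note that the third request goes to a different host: the same client
# has been redirected to an alternate server, as the write-up describes.
SAMPLE_LOG = """\
1300000001.123    210 10.0.0.7 TCP_MISS/200 312 GET http://cnc-primary.example.net/zj/RegistUid.aspx? - DIRECT/192.0.2.10 text/html
1300000002.456    180 10.0.0.7 TCP_MISS/200 95 GET http://cnc-primary.example.net/zj/allotWorkTask.aspx - DIRECT/192.0.2.10 text/html
1300000003.789   1200 10.0.0.7 TCP_MISS/200 40 POST http://cnc-alternate.example.net/zj/upload/UploadFiles.aspx - DIRECT/198.51.100.5 text/html
1300000004.000    150 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.com/zj/news.html - DIRECT/203.0.113.7 text/html
1300000005.000    130 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/203.0.113.7 text/html
"""


def parse_line(line):
    """Split one proxy log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url):
    """Return the C&C stage name if the URL path matches, else None."""
    path = urlsplit(url).path.lower()
    return CNC_PATHS.get(path)


def scan_log(text):
    """Map client address -> list of (stage, host, method) hits, in log order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify_url(rec["url"])
        if stage is None:
            continue
        host = urlsplit(rec["url"]).hostname
        hits[rec["client"]].append((stage, host, rec["method"]))
    return dict(hits)


def cnc_hosts(hits):
    """Every distinct C&C hostname observed, so the block-list can be extended."""
    return sorted({host for events in hits.values() for _, host, _ in events})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for client, events in found.items():
        print(client)
        for stage, host, method in events:
            print(f"  {method:4} {host:28} {stage}")
    print("C&C hosts seen:", cnc_hosts(found))
```

On the sample data only client 10.0.0.7 is flagged, with its register, task-poll and upload requests in order, and the host list comes back with both the primary and the alternate server even though only the first was known beforehand. The /zj/news.html request from 10.0.0.9 is ignored: a path prefix alone is not enough, the full path has to match.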

It appears that Android malware writers have started adding features to their mobile threats, such as switching C&C servers on command and updating themselves, that until now were common only in the desktop environment.